Veracode Vulnerability Database: VERACODE:45957
History: Mar 21, 2024 - 5:49 a.m.

Cross-Site Request Forgery (CSRF)

2024-03-21 05:49:55
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
cross-site request forgery
csrf
vulnerability
apache wicket
fetchmetadataresourceisolationpolicy

AI Score: 6.9 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Apache Wicket is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is caused by an error in the evaluation of the fetch metadata headers within FetchMetadataResourceIsolationPolicy.java, which allows an attacker to bypass the CSRF protection mechanism.
